Yes, it is true that adopting harmonised European provisions under the third pillar requires unanimity in the European which is difficult to achieve. Difficult but not impossible and the proposers of the original Framework Decision on the subject (including Ireland and the UK) had made some headway in that regard back in September 2005 when both the European Parliament started to kick off. Also - and this is probably more important in the short term - in the absence of harmonising EU law, every member state would have been able to adopt its own data retention laws. That would have been great news for human rights organisations in places like Austria, whose government has long opposed data retention on principle, and Germany, where the Constitutional Court may very well have put a stop to it. But in places like Ireland, Italy and, not least, the UK we may well have ended up with laws which require providers to retain more types of data for longer than the maximum of 24 months allowed under the directive. Furthermore, much of the Council decisions come about as a result of horse-trading behind closed doors. At least, the involvement of the European Parliament guarantees some sort of political transparency, even though - as in this case - this will not always protect us from undesirable outcomes. So right on, ECJ, you did well.
But what does it all mean for individuals' right to privacy? Well, the bad news is that ISPs and telecommunication providers will now initially have to retain communications data for between 6 and 24 months. The technology and the infrastructure for this will have to be set up, costed and funded. And we know how it goes - once that infrastructure is in place, both the state and the providers will most probably manage to find a use for it even of the Directive is eventually binned. A frightening thought!
However, the ECJ has not yet examined the question of the Directive's compatibility with fundamental human rights, in particular with the right to privacy under Article 8 of the European Convention of Human Rights (ECHR). Indeed, it has very clearly stated that the action brought by Ireland - and consequently its own decision - relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy by the Directive. That, in a way, is a good thing, because it leaves the door open for a future challenge by data retention opponents who hope to be able to prove that blanket data retention is wildly disproportionate to the objective the Directive is set to achieve. Judicial or constitutional reviews relating to the compatibility with the right to privacy of national laws implementing the Directive are already pending in a number of member states including Germany and Ireland. The relevant courts may now refer any of those cases to the ECJ for preliminary ruling. The German Constitutional Court - bound as it is by its own "Solange II" principles (that it will not review the compatibility of EC legislation with the German Constitution as long as ("solange") the European Communities, and in particular the judicature of the ECJ, secure the protection of fundamental rights) - are the most likely suspect for such a reference. The Court has repeatedly postponed its own decision in the pending case - likely because of the impending ECJ ruling.
But the ECJ also made another interesting point: namely, it emphasised that the Directive merely relates to activities of communication service providers (the retention of communications data) and not to the activities of public and law enforcement authorities (access to the retained data). While factually correct, this could suggest that when the ECJ eventually receives a reference from a national court, it may limit its own jurisdiction to a review of the question whether the mere retention of data infringes fundamental rights rather than taking a "big-picture-view" of the matter and taking into account the effect that law enforcement's access to that data will have on those rights. It could argue that the mere retention of data does not infringe individual rights provided that access to that data is limited and subject to sufficient safeguards. As the access provisions and safeguards are currently contained in national law (here in the UK, access is governed by Part I Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA) and a host of secondary regulation), the ECJ could rule itself out completely as a competent court to review the matter from that point of view leaving it instead to national courts to decide.
On the one hand, this could mean that data retention will come to be seen as be a beautiful example for a judicial game of "pass-the-parcel" where data retention provisions are quietly implemented all across Europe while the courts are sorting out their own compentency between themselves. On the other hand, such an approach by the ECJ could open up an opportunity for opponents provided they grasp it quickly and strongly enough.
Data retention opponents should now also consider the judicial review of national access provisions by the national courts as well as, ultimately, by the European Court of Human Rights in Strasbourg. To a varying extent, all EU member states are also signatories to the ECHR which means that their national laws are subject to that Court's jurisdiction once all national judicial remedies have been exhausted. In a UK context this could mean, that even if the ECJ, in a future action referred to it, determines that
- data retention alone is not enough to infringe people's fundamental rights
- it is not competent to review the access provisions that may be so infringing,
Like many others, lawyers advising data retention opponents have so far been puzzeld by the fact that the demarcation line between the jurisdiction of the ECJ and the ECtHR has never been clearly defined. Ever since the ECJ, in the case of Internationale Handelsgesellschaft v. Einfuhr und Vorratsstelle Getreide, confirmed that it would protect fundamental rights as general principles of EU law, the scene was set for a clash between the two courts, albeit that to date this clash has never materialised. It was thought, that data retention could have been the case, where this might finally happen.
However, unless the European Council adopts harmonised provisions on access to retained data which would bring the matter squarely within the ECJ's jurisdiction (probably unlikely, given how difficult it was to achieve consensus even on the retention of the data), civil rights organisations across the EU should now probably review their strategies and start planning for a two-pronged attack:
- Continue the judicial review of national laws implementing the Data Retention Directive with a view to a reference to the ECJ. Cross your fingers and hope.
- At the same time commence separate actions for judicial review of the related national access provisions arguing that they violate Art. 8 ECHR and that it would be inappropriate to refer those cases to the ECJ for preliminary decision, as they do not concern EU laws. If the national courts decide that those provisions do indeed violate Art. 8 ECHR, then - depending on the constitutional procedures of the relevant country - the provisions will either be void immediately or be declared "incompatible with human rights" leaving the legislator to amend the law. If the national court finds that access to retained data does not breach Art. 8 ECHR, the path to Strasbourg is clear. And it light of the court's most recent decision in the area of privacy and state surveillance, Matron can't help feeling that the chances of success in that court would be much better than before the ECJ.
However, even if a challenge before the ECtHR was successful, the problem of data retention may remain. Would the ECtHR assume jurisdiction on the retention provisions given that they are subject to review by the ECJ? If not, would national legislators, the European Institutions and/or the ECJ revise their position on data retention, if the ECtHR decided that access to the retained data breaches individuals' human rights? Data retention is expensive. National governments will (hopefully) not want to bear those cost or impose them on businesses operating from their territory if they cannot then access the data retained. An ECtHR decision condemning the right to access could therefore be a roundabout way to make them change their mind. But it's tricky. So "as long as" we don't know how best to tackle this we should probably tackle it any which way we can.